Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: microsoft!c-rossgr@uunet.uu.net
Newsgroups: comp.virus
Subject: Re: Review of Norton Antivirus (PC)
Message-ID: <0002.9104101503.AA06496@ubu.cert.sei.cmu.edu>
Date: 8 Apr 91 17:55:49 GMT
Sender: Virus Discussion List
Lines: 48
Approved: krvw@sei.cmu.edu

>Date: Thu, 28 Mar 91 16:13:24 +0000
>From: tzdroj@hpuxa.acs.ohio-state.edu (Tomasz R. Zdrojewski)
>
>The NAV program is not suitable for normal virus removal. In a
>personal test, I was able to infect my command.com, NAV itself and
>quite a few other files. The program ignored the sample virus I ran
>and said the system was fine. I would only recommend it for its
>ability to add new virus tags.

Not to take away from Norton's new entry in the anti-virus field, lots
of scanners have the ability to add new virus tags through an external
file, including my own. In fact, to document this file for the first
time publicly:

1) The file must be on the C: drive in a directory called "C:\VIREXPC"
2) The file must be called "VIREXPC.VIR"
3) The file consists of lines. Each line starts with a 'P', a 'B' or a '#'.
   A line starting with a '#' is a comment line.
   A line starting with a 'P' is a "Program Virus"
   A line starting with a 'B' is a "Boot Virus"
4) Following the 'B' or 'P' is a single space.
5) Following the single space is the hex representation of up to sixteen
   bytes of signature information. Although you may have less than sixteen
   bytes, you must have at least ten bytes. Additionally, you must have an
   even number of bytes. This is the ASCII representation of the value of
   these signature bytes: If searching for 'AB', then the resulting hex
   search string would be "4141".
6) Optionally, after the signature bytes may come a checksum and a "nasty"
   flag. If you're including either, follow the signature bytes by a single
   space.

If the virus is a "nasty" virus -- one that you'd want to halt the scanner
if you find it in memory, use the "Nasty Virus" flag: a single exclamation
point.

The checksum is a simple unsigned checksum of the signature bytes' real
value: not the value of the ASCII representation of these values, but the
actual values.

An example:

# This here is a comment
P ProgVName 123434565678789090121234 1234!

No, the checksums don't add up on that example.

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+
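A strict reader for the VIREXPC.VIR line format described in the post above, added here as an example (it is not Virex-PC code and not from the author). It assumes the checksum is the 16-bit unsigned sum of the signature bytes written as four hex digits, and that an optional name token (as in the post's "ProgVName" example) may sit between the type letter and the hex signature; neither detail is spelled out in the post.

```python
# Added example: validating parser for VIREXPC.VIR signature lines.
# Assumptions (not in the post): 16-bit unsigned checksum written as hex,
# and an optional name token between the type letter and the hex bytes.
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def checksum16(sig):
    """Unsigned checksum over the real byte values (assumed 16-bit wrap)."""
    return sum(sig) & 0xFFFF

def parse_line(line):
    """Return a record for a 'P'/'B' line, None for comment or blank lines.
    Raises ValueError for lines that violate the documented constraints."""
    line = line.rstrip("\r\n")
    if not line or line[0] == "#":
        return None
    kind = line[0]
    if kind not in "PB":
        raise ValueError("line must start with P, B or #: %r" % line)
    if len(line) < 2 or line[1] != " ":
        raise ValueError("type letter must be followed by a single space")
    fields = line[2:].split(" ")
    name = None
    if fields and not HEX_RE.match(fields[0]):
        name = fields.pop(0)                 # optional name token (assumed)
    if not fields or not HEX_RE.match(fields[0]):
        raise ValueError("missing hex signature")
    hexsig = fields.pop(0)
    if len(hexsig) % 2:
        raise ValueError("signature needs an even number of hex digits")
    sig = bytes.fromhex(hexsig)
    if not 10 <= len(sig) <= 16:                # post: at least 10, up to 16
        raise ValueError("signature must be 10..16 bytes, got %d" % len(sig))
    rec = {"kind": "program" if kind == "P" else "boot", "name": name,
           "signature": sig, "checksum_ok": None, "nasty": False}
    if fields:                                  # optional "<checksum>[!]"
        tail = fields.pop(0)
        if tail.endswith("!"):                  # "nasty" flag
            rec["nasty"] = True
            tail = tail[:-1]
        if tail:
            rec["checksum_ok"] = int(tail, 16) == checksum16(sig)
    if fields:
        raise ValueError("unexpected trailing fields: %r" % fields)
    return rec

def load_signatures(text):
    """Parse a whole file body; comment and blank lines are dropped."""
    return [r for r in map(parse_line, text.splitlines()) if r]
```

Run over the post's own example line it reports the checksum as not matching, which is exactly what the post says about that line.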